Threat actors compromised Nordstrom's email marketing system, reportedly via an Okta SSO and Salesforce Marketing Cloud breach, to send fraudulent St. Patrick's Day cryptocurrency scam emails to customers. The scam promised to double crypto deposits, resulting in over $5,600 being sent to the attackers' wallets.
Initial Access
SSO System Breach
likely
According to a source familiar with the incident, threat actors gained unauthorized access to Nordstrom's Okta SSO system.
Defender cut points
Enforce phishing-resistant FIDO2 MFA for all Okta SSO users, especially administrators.
Implement continuous monitoring of Okta logs for unusual login patterns or failed authentication attempts.
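One way to implement the log-monitoring cut point, as an added example that is not part of the original write-up: a detector over Okta System Log `user.session.start` events that flags failed-login bursts, a success right after such failures, and a sign-in from a country not seen before for that user. The events, accounts, addresses, threshold and window are constructed assumptions, not data from the incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 3             # assumed: failures per user inside WINDOW
WINDOW = timedelta(minutes=5)  # assumed sliding window

def ev(ts, user, result, ip, country):
    """Build a constructed event using Okta System Log field names."""
    return {"published": ts, "eventType": "user.session.start",
            "actor": {"alternateId": user}, "outcome": {"result": result},
            "client": {"ipAddress": ip,
                       "geographicalContext": {"country": country}}}

# Constructed sample data (documentation IP ranges, example.com accounts).
ADMIN, USER = "admin@example.com", "user@example.com"
SAMPLE = [
    ev("2024-01-01T09:00:00.000Z", ADMIN, "SUCCESS", "198.51.100.10", "United States"),
    ev("2024-01-01T13:00:05.000Z", ADMIN, "FAILURE", "203.0.113.7", "Netherlands"),
    ev("2024-01-01T13:00:20.000Z", ADMIN, "FAILURE", "203.0.113.7", "Netherlands"),
    ev("2024-01-01T13:00:40.000Z", ADMIN, "FAILURE", "203.0.113.7", "Netherlands"),
    ev("2024-01-01T13:01:10.000Z", ADMIN, "SUCCESS", "203.0.113.7", "Netherlands"),
    ev("2024-01-01T13:02:00.000Z", USER, "SUCCESS", "198.51.100.20", "United States"),
]

def detect(events):
    """Return (rule, user, detail) alerts for sign-in events in time order."""
    alerts, fails, seen = [], defaultdict(list), defaultdict(set)
    for e in sorted(events, key=lambda e: e["published"]):
        if e["eventType"] != "user.session.start":
            continue
        user = e["actor"]["alternateId"]
        t = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        ip, country = e["client"]["ipAddress"], e["client"]["geographicalContext"]["country"]
        if e["outcome"]["result"] == "FAILURE":
            # Keep only failures still inside the window, then add this one.
            fails[user] = [x for x in fails[user] if t - x <= WINDOW] + [t]
            if len(fails[user]) == FAIL_THRESHOLD:  # alert once per burst
                alerts.append(("failed_burst", user, ip))
        elif e["outcome"]["result"] == "SUCCESS":
            if seen[user] and country not in seen[user]:
                alerts.append(("new_country", user, country))
            if any(t - x <= WINDOW for x in fails[user]):
                alerts.append(("success_after_failures", user, ip))
            seen[user].add(country)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

In production the baseline of known countries would be loaded from history rather than built from the same batch, and administrator accounts would typically get a lower threshold.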